tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 20 Jun 2023 04:48:58 +0000 (16:48 +1200)
committerStefan Metzmacher <metze@samba.org>
Tue, 27 Jun 2023 05:45:36 +0000 (05:45 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
python/samba/tests/krb5/authn_policy_tests.py
selftest/knownfail_heimdal_kdc

index 5ffdba41e99df8832653d98a4be870f746f12696..b2625cc4013701cdc4e9e66ca8bbae5bd25a1d52 100755 (executable)
@@ -5382,18 +5382,24 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         self.discardMessages()
 
         # Show that obtaining a service ticket with RBCD is not allowed.
-        self._tgs_req(service_tgt, KDC_ERR_POLICY, service_creds, target_creds,
-                      armor_tgt=mach_tgt,
-                      kdc_options=kdc_options,
-                      pac_options='1001',  # supports claims, RBCD
-                      additional_ticket=client_service_tkt,
-                      decryption_key=target_decryption_key,
-                      expect_edata=self.expect_padata_outer,
-                      check_patypes=False)
+        self._tgs_req(
+            service_tgt, KDC_ERR_POLICY, service_creds, target_creds,
+            armor_tgt=mach_tgt,
+            kdc_options=kdc_options,
+            pac_options='1001',  # supports claims, RBCD
+            additional_ticket=client_service_tkt,
+            decryption_key=target_decryption_key,
+            expect_edata=self.expect_padata_outer,
+            expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+            check_patypes=False)
 
-        self.check_tgs_log(client_creds, target_creds,
-                           policy=policy,
-                           checked_creds=service_creds)
+        self.check_tgs_log(
+            service_creds, target_creds,
+            policy=policy,
+            checked_creds=service_creds,
+            status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+            event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+            reason=AuditReason.ACCESS_DENIED)
 
     def test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname(self):
         samdb = self.get_samdb()
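Review bot: The first positional argument to `check_tgs_log` switches from `client_creds` to `service_creds` with no explanation, and with `checked_creds=service_creds` on the next line a reader cannot tell which principal each argument names or why the delegated client is no longer the one expected in the log. A why-comment above the call would settle it, e.g. `# The audit entry names the service making the S4U2Proxy request (service_creds), not the client whose ticket it is forwarding.` — hedged, since the parameter meaning is only implied by the call. Separately, the `_tgs_req` call is re-wrapped to a "break after the open paren" layout while the sibling call in the next test keeps the old aligned style; picking one for the file would help diff noise later. The enclosing test method starts above the hunk.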
@@ -5460,8 +5466,9 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
                       expect_edata=self.expect_padata_outer,
                       check_patypes=False)
 
-        self.check_tgs_log(client_creds, target_creds,
-                           checked_creds=service_creds)
+        self.check_tgs_log(service_creds, target_creds,
+                           checked_creds=service_creds,
+                           status=ntstatus.NT_STATUS_UNSUCCESSFUL)
 
     def test_authn_policy_allowed_to_user_allow_constrained_delegation_to_self(self):
         samdb = self.get_samdb()
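Review bot: The log check now pins `NT_STATUS_UNSUCCESSFUL`, but the visible tail of the preceding `_tgs_req` call carries no `expected_status=`, unlike the RBCD test earlier in this commit, so the status actually returned to the requester is not asserted unless it is set above the hunk. If the KDC emits e-data on this path, adding `expected_status=ntstatus.NT_STATUS_UNSUCCESSFUL,` keeps the wire-level and audit-level expectations in step; if it deliberately does not, a one-line comment saying so would stop the next reader from "fixing" it. The call also omits `event=`/`reason=`, so whatever `check_tgs_log` defaults to is silently accepted here — worth pinning explicitly given that the sibling test does. The enclosing test method starts above the hunk.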
@@ -5974,8 +5981,11 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
                       expect_edata=self.expect_padata_outer,
                       check_patypes=False)
 
-        self.check_tgs_log(client_creds, service_creds,
-                           policy=policy,
+        self.check_tgs_log(service_creds, service_creds,
+                           # The failure is not due to a policy error, so no
+                           # policy appears in the logs.
+                           policy=None,
+                           status=ntstatus.NT_STATUS_UNSUCCESSFUL,
                            checked_creds=service_creds)
 
     def test_authn_policy_allowed_to_computer_allow_user2user(self):
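Review bot: `check_tgs_log(service_creds, service_creds, ...)` passes the same credentials for both principals, and while the new comment explains `policy=None`, nothing explains the repeated argument; extending it to `# Delegation to itself: the requesting service and the target are the same account, and the failure is not due to a policy error, so no policy appears in the logs.` would make the intent self-contained (the "to self" reading is inferred from the knownfail entry removed in this commit, so confirm). As in the previous hunk, the log expects `NT_STATUS_UNSUCCESSFUL` but the visible part of `_tgs_req` shows no `expected_status=`, so consider `expected_status=ntstatus.NT_STATUS_UNSUCCESSFUL,` there if the KDC returns e-data on this path. The enclosing test method starts above the hunk.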
index 180b2efbf99996c51ca539e1ec355ebda393ae0b..4ffeb5ab6a415277ee0c6fc0f4314c4b342c2d0f 100644 (file)
@@ -80,8 +80,6 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_not_allowed_rbcd_to_self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_rbcd_not_allowed_from.ad_dc